Software Bill of Materials (SBOM) report

A software Bill of Materials (SBOM) is a list of all the open source and third-party components present in a codebase. An SBOM also lists the licenses that govern those components, the versions of the components used in the codebase, and their patch status, which allows security teams to quickly identify any associated security or license risks. See the individual SPDX and CycloneDX mapping entries for additional details on fields found in their SBOM reports.

You can export your SBOM report for a specific project version. SBOM reports can also be used to import project information into Black Duck.

To run a Software Bill of Materials report at the project version level:

Select the project name using the Watching or My Projects dashboard. The Project Name page appears.
Select the version of the project for which you want to run the report.
Select the Reports tab.
Click + Create New Report and select Software Bill of Materials (SBOM).
Select a SBOM template from the Template dropdown menu. The default SBOM template will automatically be selected, but can be changed if desired.
Select the desired SBOM specification:
Select the desired Report Format:
- JSON (CycloneDX SBOM reports only support this format)
- YAML
- RDF
- tag:value
Optionally, you can expand the Template Details to see the fields included in the selected SBOM template.
Click Create to run the report.
Click the link to download and view the report.

Note: If the Don't generate SBOM reports for projects with policy violations option has been enabled for this project's group and the project has policy violations, the option to generation a SBOM report will be disabled.

What fields are imported from SBOMs

When importing Software Bill of Materials (SBOMs), not all fields are processed by Black Duck SCA. Understanding which specific fields are considered is essential for users to effectively utilize SBOM functionality and ensure comprehensive vulnerability management. This section outlines the fields that Black Duck SCA evaluates during the SBOM import process, providing greater transparency into the detailed SPDX functionality and how it can be leveraged in your projects.

Table 1. SBOM Fields Imported by Black Duck
Field	CycloneDX	SPDX 2.x	SPDX 3.x	Notes
Component/Package Name	`Component.name` Reference	`Package.name` Reference	`Software.Package.name` Reference 1 Reference 2	Mandatory, the whole import fails if even a single Component does not have the name field (an empty value in the name field causes no failure) Always exported
Component/Package BlackDuck IDs	`Property` with names `BlackDuck-Component`, `BlackDuck-ComponentVersion`, `BlackDuck-ComponentOrigin` Reference	`ExternalRef` with types `BlackDuck-Component`, `BlackDuck-ComponentVersion`, `BlackDuck-ComponentOrigin` Reference	`ExternalRef` with types `BlackDuck-Component`, `BlackDuck-ComponentVersion`, `BlackDuck-ComponentOrigin` Reference	Optional, used for matching (OriginID > VersionID > ComponentID) Always exported
Component/Package URL	`Component.purl` Reference	`ExternalRef` with type `purl` Reference	`ExternalIdentifier` with type `purl` Reference	Optional, used for matching Export controlled by template
Component/Package Version	`Component.version` Reference	`Package.versionInfo` Reference	`Software.Package.packageVersion` Reference 1 Reference 2	Optional Always exported
Component/Package Supplier	`Component.supplier` Reference	`Package.supplier` Reference	`Software.Package.suppliedBy` Reference 1 Reference 2	Optional Only persisted for matched Components Export controlled by template
Component/Package Originators	`Component.authors` Reference	`Package.originator` Reference	`Software.Package.originatedBy` Reference 1 Reference 2	Optional / Export only, not persisted during import Export controlled by template
Component/Package CPE	`Component.cpe` Reference	`ExternalRef` with type `cpe22Type` or `cpe23Type` Reference	`ExternalIdentifier` with type `cpe` Reference	Optional Only persisted for matched Components Export controlled by template
Component/Package Hash	`Component.hashes[0].content` Reference	`Package.checksums[0].value` Reference	`Software.Package.verifiedUsing` Reference 1 Reference 2 Reference 3 Reference 4	Optional Only first hash persisted in import Export controlled by template
Component/Package Hash Algorithm	`Component.hashes[0].alg` Reference	`Package.checksums[0].algorithm` Reference	`Software.Package.verifiedUsing` Reference 1 Reference 2 Reference 3 Reference 4	Optional Only the algorithm of the first hash persisted in import Export controlled by template
Component/Package Comment	N/A	`Package.comment` Reference	`Software.Package.comment` Reference 1 Reference 2	Optional Only persisted for matched Components Export controlled by template
Component/Package Valid Until Date	N/A	`Package.validUntilDate` Reference	`Software.Package.validUntilTime` Reference 1 Reference 2	Optional Only persisted for matched Components Export controlled by template
Component/Package Download Location	`ExternalReference` with type `distribution` Reference	`Package.downloadLocation` Reference	`Software.Package.downloadLocation` Reference 1 Reference 2	Optional Only persisted for matched Components Export controlled by template
Component/Package Usage	N/A CycloneDX has no `RelationshipTypes`, so we always assign `HAS_PREREQUISITE`	`RelationshipType` Reference	`Core.relationshipType` Reference	Optional Only persisted for matched Components Always exported
Component/Package Declared License	N/A	`Package.licenseDeclared` Reference	`Relationship with hasDeclaredLicense` Reference 1 Reference 2	Optional, during import used only during Component auto-creation functionality, not persisted (used for finding out the License for the Custom Component)
Component/Package Concluded License	`Component.licenses` Reference	`Package.licenseConcluded` Reference	`Relationship` with `hasConcludedLicense` Reference 1 Reference 2	Optional, during import used only during Component auto-creation functionality, not persisted (used for finding out the License for the Custom Component)
Component/Package Declared License Comment	N/A	`Package.licenseComments` Reference	`Relationship` with `comment` (e.g., `hasDeclaredLicense`) Reference 1 Reference 2	Optional Only persisted for matched Components Export controlled by template
SBOM Type	`Metadata.lifecycles.phase` Reference	N/A	`Software.sbomType` Reference 1 Reference 2	Optional Export controlled by template

Ignored SBOM fields during import

CycloneDX

Additional Component/Package checksums/hashes & algorithms after first one
Relationships and Relationship comments
Originators beyond author parsing
All properties except the BlackDuck-Component,BlackDuck-ComponentVersion and BlackDuck-ComponentOrigin
Non-DISTRIBUTION external references (they’re parsed but only distribution used for the downloadLocation)
Additional supplier contacts after the the first email

SPDX SBOM

Additional Component/Package checksums/hashes & algorithms after first one
Relationships and Relationship comments beyond RelationshipType (SPDX 2.x and SPDX 3.x), and Licenses (SPDX 3.x)
Originators beyond author parsing